With the rapid development of a variety of online applications, theft of network property such as a user account happens increasingly, thus a variety of network property of the user encounter more and more threats. The traditional way of a login password set by the user may be cracked by brute-force attacks, keyboard input interception, screen shots, etc., thus it is insufficient to prove the legitimacy of the user identity through an identity verification method based on merely password verification. In view of this, a way of verifying an identity credential pertaining to the user only is employed additional to prove the legitimacy of the user identity in online applications.
The current identity verification method consists of identity registration and identity authentication. The identity registration refers to negotiation with an authentication system over an identity credential pertaining to the user, and the identity authentication refers to determining the legitimacy of the user identity by the authentication system through verifying an identity credential pertaining to the user that is submitted by the user.
The current identity verification method is mostly based on verification of passwords, including static passwords and dynamic passwords. The static password is poor in security for being easy to be intercepted by keyboard Trojan horses and to be cracked by brute-force attacks. The dynamic password is randomly generated in use, is valid within a specified time period and may be validated only once, thus avoids the risk of being intercepted by Trojan horses, but still suffers from the possibility of phishing within a short time. Also, the user is required to enter user credential information for verifying the static and dynamic passwords, resulting in a potential possibility that the user credential information is illegally captured. Therefore, the security of the existing identity verification methods is not good enough, and there is a need for a new scheme to address the above problems.